The Online Marketer’s Guide to Privacy

I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking). I did a presentation to the Houston Interactive Marketing Association this week which forced me to boil it down to digestible bites. If I had to give you three simple rules they would be:

1. Disclose what you do in plain English;

2. Avoid storing or transmitting Personal Health Information if you can; and

3. Avoid marketing to minors if you can.

At the presentation, we identified the numerous laws and regulations marketers have to know about, including at least COPPA, HIPAA, the FTC’s guidelines, self-regulatory organization guidelines, Cal-OPPA and EU Safe Harbor status.

COPPA

Regarding the Children’s Online Privacy and Protection Act and marketing to minors, you should check out my five-part series here. COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think. Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement. The FTC recently rejected the idea of using the social graph.

HIPAA

In September, there were changes to HIPAA – the law governing the privacy of health information. If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.” If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.

A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.

So the issue becomes whether you store or otherwise have access to Personal Health Information. Again, the analysis is not that simple. See here. You need to know that both email and IP addresses are covered, which is pretty basic information for online marketers.

The specifics of your marketing strategy will determine whether you need to be concerned. The point of this blog post is to make you think about it. Here is one marketer’s take on the issue. If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer. If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.

The FTC

The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.

More recent and interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals. The powerful Digital Advertising Alliance recently backed out, leaving the ability of the W3C to promulgate suggestions in jeopardy.

Finally, there are the EU requirements on privacy. Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1. Give notice of what you collect, what you do with it, and how individuals can ask about it.

2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3. Ensure that the company to whom you transfer data also has adequate protections.

If you deal with customers in Europe you should consider looking into the Commerce Department’s Safe Harbor provisions, which work like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.

This post does not and cannot answer every question. Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.